ISC2 - CISSP-ISSMP Information Systems Security Management Professional

Curriculum

CISSP-ISSMP Information Systems Security Management Professional

Domain 1: Leadership and Business Management

1.1 Establish security’s role in organizational culture, vision and mission

• Define information security program vision and mission
• Align security with organizational goals, objectives and values
• Define security’s relationship to the overall business processes
• Define the relationship between organizational culture and security

1.2 Align security program with organizational governance

• Identify and navigate organizational governance structure
• Validate roles of key stakeholders
• Validate sources and boundaries of authorization
• Advocate and obtain organizational support for security initiatives

1.3 Define and implement information security strategies

• Identify security requirements from business initiatives
• Evaluate capacity and capability to implement security strategies
• Manage implementation of security strategies
• Review and maintain security strategies
• Prescribe security architecture and engineering theories, concepts and methods

1.4 Define and maintain security policy framework Determine applicable external standards

• Determine applicable external standards
• Determine data classification and protection requirements
• Establish internal policies
• Advocate and obtain organizational support for policies
• Develop procedures, standards, guidelines and baselines
• Ensure periodic review of security policy framework
• Evaluate service management agreements (e.g., risk, financial)
• Govern managed services (e.g., infrastructure, cloud services)
• Manage impact of organizational change (e.g., mergers and acquisitions, outsourcing)
• Ensure that appropriate regulatory compliance statements and requirements are included in contractual agreements
• Monitor and enforce compliance with contractual agreements

1.5 Manage security requirements in contracts and agreements

1.6 Manage security awareness and training programs

• Promote security programs to key stakeholders
• Identify needs and implement training programs by target segment
• Monitor and report on effectiveness of security awareness and training programs

1.7 Define, measure and report security metrics

• Identify Key Performance Indicators (KPI)
• Associate Key Performance Indicators (KPI) to the risk posture of the organization
• Use metrics to drive security program development and operations

1.8 Prepare, obtain and administer security budget

• Prepare and secure annual budget
• Adjust budget based on evolving risks and threat landscape
• Manage and report financial responsibilities

1.9 Manage security programs

Define roles and responsibilities

• Determine and manage team accountability
• Build cross-functional relationships
• Resolve conflicts between security and other stakeholders
• Identify communication bottlenecks and barriers
• Integrate security controls into human resources processes

1.10 Apply product development and project management principles

• Incorporate security into project lifecycle
• Identify and apply appropriate project management methodology
• Analyze project time, scope and cost relationship

Domain 2: Systems Lifecycle Management

2.1 Manage integration of security into Systems Development Life Cycle (SDLC)

• Integrate information security gates (decision points) and requirements into lifecycle
• Implement security controls into system lifecycle
• Oversee security configuration management (CM) processes

2.2 Integrate new business initiatives and emerging technologies into the security architecture

• Integrate security into new business initiatives and emerging technologies
• Address impact of new business initiatives on security posture

2.3 Define and oversee comprehensive vulnerability management programs (e.g., vulnerability scanning, penetration testing, threat analysis)

• Identify, classify and prioritize assets, systems and services based on criticality to business
• Prioritize threats and vulnerabilities
• Manage security testing
• Manage mitigation and/or remediation of vulnerabilities based on risk

2.4 Manage security aspects of change control

• Integrate security requirements with change control process
• Identify and coordinate with the stakeholders
• Manage documentation and tracking
• Ensure policy compliance (e.g., continuous monitoring)

Domain 3: Risk Management

3.1 Develop and manage a risk management program

• Identify risk management program objectives
• Communicate and agree on risk management objectives with risk owners and other stakeholders
• Determine scope of organizational risk program
• Identify organizational security risk tolerance/appetite
• Obtain and verify organizational asset inventory
• Analyze organizational risks
• Determine countermeasures, compensating and mitigating controls
• Perform cost-benefit analysis (CBA) of risk treatment options

3.2 Conduct risk assessments